CVE-2026-11764 (GCVE-0-2026-11764)
Vulnerability from cvelistv5
Published
2026-06-09 11:54
Modified
2026-06-09 13:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-280 - Improper handling of insufficient permissions or privileges
Summary
When creating an export of all reusable media, the secrets of connected
gift cards were included in the export even if the user creating the
export does not have permission to view gift cards. This is inconsistent
with the UI and API where only the first letters of the gift card
secret are shown. Therefore, it allows circumventing a permission
boundary.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:49:30.786909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:49:42.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.0",
"status": "affected",
"version": "2024.1.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.3.3",
"status": "unaffected"
}
],
"lessThan": "2026.4.0",
"status": "affected",
"version": "2026.3.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.4.3",
"status": "unaffected"
}
],
"lessThan": "2026.5.0",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"changes": [
{
"at": "2026.5.1",
"status": "unaffected"
}
],
"lessThan": "2026.6.0",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mr. JDH"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary.\u003c/p\u003e"
}
],
"value": "When creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 3.6,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper handling of insufficient permissions or privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T11:54:37.865Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260609-release-2026-5-1/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Data exposed without proper permission",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-11764",
"datePublished": "2026-06-09T11:54:37.865Z",
"dateReserved": "2026-06-09T08:08:24.188Z",
"dateUpdated": "2026-06-09T13:49:42.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-11764\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-09T13:49:30.786909Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-09T13:49:34.715Z\"}}], \"cna\": {\"title\": \"Data exposed without proper permission\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Mr. JDH\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 3.6, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U\", \"exploitMaturity\": \"UNREPORTED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/pretix/pretix\", \"vendor\": \"pretix\", \"product\": \"pretix\", \"versions\": [{\"status\": \"affected\", \"version\": \"2024.1.0\", \"lessThan\": \"2026.3.0\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"2026.3.3\", \"status\": \"unaffected\"}], \"version\": \"2026.3.0\", \"lessThan\": \"2026.4.0\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"2026.4.3\", \"status\": \"unaffected\"}], \"version\": \"2026.4.0\", \"lessThan\": \"2026.5.0\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"2026.5.1\", \"status\": \"unaffected\"}], \"version\": \"2026.5.0\", \"lessThan\": \"2026.6.0\", \"versionType\": \"python\"}], \"packageName\": \"pretix\", \"collectionURL\": \"https://pypi.org/\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://pretix.eu/about/en/blog/20260609-release-2026-5-1/\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When creating an export of all reusable media, the secrets of connected \\ngift cards were included in the export even if the user creating the \\nexport does not have permission to view gift cards. This is inconsistent\\n with the UI and API where only the first letters of the gift card \\nsecret are shown. Therefore, it allows circumventing a permission \\nboundary.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eWhen creating an export of all reusable media, the secrets of connected \\ngift cards were included in the export even if the user creating the \\nexport does not have permission to view gift cards. This is inconsistent\\n with the UI and API where only the first letters of the gift card \\nsecret are shown. Therefore, it allows circumventing a permission \\nboundary.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-280\", \"description\": \"CWE-280 Improper handling of insufficient permissions or privileges\"}]}], \"providerMetadata\": {\"orgId\": \"655498c3-6ec5-4f0b-aea6-853b334d05a6\", \"shortName\": \"rami.io\", \"dateUpdated\": \"2026-06-09T11:54:37.865Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-11764\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-09T13:49:42.672Z\", \"dateReserved\": \"2026-06-09T08:08:24.188Z\", \"assignerOrgId\": \"655498c3-6ec5-4f0b-aea6-853b334d05a6\", \"datePublished\": \"2026-06-09T11:54:37.865Z\", \"assignerShortName\": \"rami.io\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…